postMessage vulnerabilities are security issues arising from improper use of the window.postMessage() API, which enables cross-origin communication between windows. They occur when the receiver does not validate the sender's origin (event.origin), when the sender broadcasts to any origin (targetOrigin '*'), or when message content is processed unsafely.
// Sender (e.g., in iframe or popup)
// `targetOrigin` restricts delivery: the browser only hands the message to the
// target window if that window's current origin matches it exactly ('*' matches
// any origin and should not be used for anything sensitive).
targetWindow.postMessage(data, targetOrigin);
// Receiver
window.addEventListener('message', (event) => {
  // event.origin - sender's origin, filled in by the browser; this is the only
  //                sender identity in the event that the sender cannot forge
  // event.data   - the message content (any structured-cloneable value)
  // event.source - reference to sender window; reply through it, passing
  //                event.origin as the targetOrigin, so only the sender receives it
});
// VULNERABLE: No origin check
// Any window holding a reference to this one (an embedding page, an opener, a
// popup it opened) can deliver a message here. Without checking event.origin,
// whatever arrives is treated as if it came from this site.
window.addEventListener('message', function(event) {
eval(event.data); // Arbitrary code execution! Message content is attacker-controlled text; never pass it to eval, new Function or innerHTML.
});
// Mitigation: reject unexpected origins first, then treat event.data as plain
// data (check its type/shape and dispatch on a fixed set of known commands).
// VULNERABLE: Using * as targetOrigin
// With '*' the browser performs no origin check on delivery: if the target
// window has since navigated to another site, or was never the page expected,
// sensitiveData is disclosed to it. Pass the exact expected origin instead.
window.postMessage(sensitiveData, '*'); // Any window can receive
// VULNERABLE: Weak origin validation
// Substring, prefix, suffix and loose regex checks accept any origin that merely
// contains the trusted name. event.origin must be compared as a whole string
// (scheme + host + port), e.g. with === or Set#has against an allowlist.
if (event.origin.indexOf('trusted.com') !== -1) {
// Bypassed with: attacker-trusted.com
}
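// Receiver: Validate origin strictly
// Allowlist of exact origins (scheme + host + port) whose messages are accepted.
// Membership is a whole-string comparison: no substring, prefix or regex matching.
const TRUSTED_ORIGINS = new Set(['https://trusted.com']);

/**
 * Handle one incoming 'message' event.
 * Messages from origins outside TRUSTED_ORIGINS are dropped before any of their
 * content is touched; content from a trusted origin is still validated as data.
 * @param {MessageEvent} event - event.origin is filled in by the browser and is
 *   the only sender identity the sender cannot forge; event.data is untrusted.
 */
function handleMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return; // Reject untrusted origins
  }
  // A trusted origin can still be compromised or buggy, so check that the
  // payload has the shape this protocol expects before acting on it. This
  // example expects a structured (object) message; adapt the check to the
  // protocol in use.
  if (typeof event.data !== 'object' || event.data === null) {
    return;
  }
  // Safely process event.data (avoid eval, innerHTML): dispatch on a fixed set
  // of known commands and treat every field as data, never as code or markup.
  // When replying, address the sender window with its exact origin rather than
  // '*': event.source?.postMessage(reply, event.origin);
}

window.addEventListener('message', handleMessage);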
// Sender: Specify exact origin
// The browser delivers the message only if the receiving window's current
// origin is exactly this value; a window that has navigated elsewhere never
// sees the data.
const receiverOrigin = 'https://specific-origin.com';
window.postMessage(data, receiverOrigin);